Karuna Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Karuna Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 06:39:53 EST.

Filings

10-K filed on 2024-02-22

Karuna Therapeutics, Inc. filed a 10-K at 2024-02-22 06:39:53 EST
Accession Number: 0000950170-24-018395


Item 1C. Cybersecurity.

Cybersecurity Risk Management

We recognize the importance of identifying, assessing, and managing material risks associated with cybersecurity threats, which risks include, among other things, operational risks, intellectual property theft, fraud, extortion, harm to employees or participants in our clinical trials, and violation of data privacy or security laws. Identifying, assessing, and managing cybersecurity risk is integrated into our overall enterprise risk management systems and processes.

Our cybersecurity risk management program is informed by prevailing security standards and is designed to provide a framework for evaluating and responding to potential cybersecurity risks, and addressing cybersecurity threats and incidents to the extent they arise. This includes processes for assessing the severity of a cybersecurity threat, identifying the source of a cybersecurity threat, implementing cybersecurity countermeasures and mitigation strategies and informing and updating management and, as needed, the audit committee of our board of directors of cybersecurity incidents that may pose a significant risk for the business, as applicable. Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact, and reviewed for privacy impact.

An important component of this program is employee awareness of and vigilance regarding cybersecurity risks, which we promote through periodic training and testing.

Recognizing the complexity and evolving nature of cybersecurity threats, incidents and risks, we engage third-party experts, including managed IT service providers and cybersecurity consultants, to evaluate and support our risk management systems.
We also have processes to assess third party risks, and we perform third-party risk management to identify and mitigate risks from third party providers, such as vendors, suppliers, CROs, and other business partners associated with our use of third-party service providers.

As of the date of this Annual Report on Form 10-K, risks from cybersecurity threats have not materially affected, and we do not believe are reasonably likely to materially affect, us, our business strategy, results of operations, or financial condition. However, cybersecurity threats are constantly evolving, becoming more frequent and more sophisticated and are being made by groups of individuals with a wide range of expertise and motives, which increases the difficulty of detecting and successfully defending against them. While we have implemented measures to safeguard our operational and technology systems, the evolving nature of cybersecurity attacks and vulnerabilities means that these protections may not always be effective. For more information about these risks, please see "Risk Factors - Cyber-attacks or other failures in our telecommunications or information technology systems, or those of our collaborators, contract research organizations, third-party logistics providers, distributors or other contractors or consultants, could result in information theft, data corruption and significant disruption of our business operations." in this Annual Report on Form 10-K.

Cybersecurity Governance

Our board of directors has overall oversight responsibility for our risk management, and delegates information security and related risk management oversight to the audit committee of the board of directors through the audit committee charter. Members of the audit committee receive updates on a regular basis from management regarding matters of cybersecurity.
This includes existing and new cybersecurity risks, how management is addressing or mitigating those risks, cybersecurity and data privacy incidents (if any), and the status of key information security initiatives.

Management is responsible for identifying, considering and assessing material risks for the business on an ongoing basis, including in relation to cybersecurity. As part of this process, our Vice President of Information Technology is tasked with establishing processes to ensure that potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programs. Our Vice President of Information Technology receives reports from our cybersecurity team and oversees the monitoring of the prevention, detection, mitigation, and remediation of cybersecurity incidents, if any. In addition, our Vice President of Information Technology reports cybersecurity incidents to our compliance committee, which is composed of relevant members of management, and, where appropriate, to the audit committee.

Our Vice President of Information Technology and our cybersecurity team are experienced information systems security professionals. These individuals, working with cybersecurity vendors, including managed IT service providers and training partners, monitor for vulnerabilities and threats, which are reported to other members of management, where appropriate.


Company Information

Name: Karuna Therapeutics, Inc.
CIK: 0001771917
SIC Description: Pharmaceutical Preparations
Ticker: KRTX - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End: December 30